-
Notifications
You must be signed in to change notification settings - Fork 238
105 lines (100 loc) · 3.69 KB
/
build_sign_release.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
# Purpose: Build, sign, and check a draft release
name: Build and Draft Release
on:
workflow_dispatch:
inputs:
# checkov:skip=CKV_GHA_7:Manual inputs are desired.
releaseName:
description: "Release Name"
required: true
type: string
# Note: This is NOT the ACTUAL release version for ScubaGear.
# That value is found in ScubaGear.psd1.
# This is only used for things like the file name.
# Yes, this is a disconnect that violates DRY.
version:
description: "Release Version (e.g., 1.2.4)"
required: true
type: string
runQuickCheck:
description: "Run a quick check of release"
required: false
type: boolean
default: true
permissions: read-all
jobs:
build-and-draft:
name: Build and Draft Release
runs-on: windows-latest
environment: Development
env:
RELEASE_VERSION: ${{ inputs.version }}
permissions:
id-token: write
contents: write
defaults:
run:
shell: powershell
# This condition prevents duplicate runs.
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
steps:
- name: Checkout
uses: actions/checkout@v4
with:
path: repo
- name: Install Azure Signing Tool
run: |
dotnet --version
dotnet tool install --global AzureSignTool --version 5.0.0
# OIDC Login to Azure Public Cloud with AzPowershell (enableAzPSSession true)
- name: Login to Azure
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
enable-AzPSSession: true
- name: Get Key Vault info
id: key-vault-info
env:
KEY_VAULT_INFO: ${{ secrets.SCUBA_KEY_VAULT_PROD}}
run: |
$KeyVaultInfo = ${env:KEY_VAULT_INFO} | ConvertFrom-Json
echo "KeyVaultUrl=$($KeyVaultInfo.KeyVault.URL)" >> $env:GITHUB_OUTPUT
echo "KeyVaultCertificateName=$($KeyVaultInfo.KeyVault.CertificateName)" >> $env:GITHUB_OUTPUT
- name: Sign Module
run: |
# Source the function
. repo/utils/workflow/Build-SignRelease.ps1
New-ModuleSignature `
-AzureKeyVaultUrl ${{ steps.key-vault-info.outputs.KeyVaultUrl }} `
-CertificateName ${{ steps.key-vault-info.outputs.KeyVaultCertificateName }} `
-ReleaseVersion ${env:RELEASE_VERSION}
- name: Create Release
uses: softprops/action-gh-release@v1
id: create-release
with:
draft: true
prerelease: false
name: ${{ inputs.releaseName }}
tag_name: v${{ inputs.version }}
files: ScubaGear-${{ inputs.version }}.zip
generate_release_notes: true
fail_on_unmatched_files: true
- name: Download Release
uses: dsaltares/fetch-gh-release-asset@1.1.1
if: ${{ inputs.runQuickCheck }}
with:
version: ${{ steps.create-release.outputs.id}}
file: "ScubaGear-${{ inputs.version }}.zip"
- name: Quick Check Release
if: ${{ inputs.runQuickCheck }}
run: |
# Source the function
. repo/utils/workflow/Build-SignRelease.ps1
Test-Release -Version ${{ inputs.version }}
# Expand-Archive -Path "ScubaGear-${{ inputs.version }}.zip"
# Get-ChildItem
# Set-Location -Path "ScubaGear-${{ inputs.version }}"
# Import-Module -Name .\PowerShell\ScubaGear\ScubaGear.psd1
# Invoke-SCuBA -Version